Suspicious website activity

FeuerFrei

Diamond Member
Mar 30, 2005
I noticed a suspicious-looking HTTP request on the website that I run. Can anyone tell me what appears to be going on?
Signup.php is a form. Mailit.php is the mail script called by the form.


[Fri Oct 19 21:24:33 2007] [error] [client 203.121.79.95] File does not exist: /home/*******/public_html/php/signup.php+[PLM=0]+GET+http://www.domain.org/php/signup.php+[0,34566,35686]+->+[N]+POST+http://www.domain.org/php//mailit.php+[R=302][0,0,174]

Markbnj

Elite Member / Moderator Emeritus
Sep 16, 2005
www.markbetz.net
This is about all I can tell you. Might be a spider of some kind. Edit: oops, realized I pasted the ARIN record, and not the APNIC record. Corrected.

% [whois.apnic.net node-1]
% Whois data copyright terms http://www.apnic.net/db/dbcopyright.html

inetnum: 203.121.64.0 - 203.121.127.255
netname: TIMETELEKOM
descr: TIME Telecommunications Sdn Bhd
descr: Kuala Lumpur
country: MY
admin-c: AM59-AP
tech-c: AM59-AP
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
remarks: This object can only be updated by APNIC hostmasters.
remarks: To update this object, please contact APNIC
remarks: hostmasters and include your organisation's account
remarks: name in the subject line.
remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+
mnt-by: APNIC-HM
mnt-lower: MAINT-MY-TTNET
mnt-routes: MAINT-MY-TTNET
changed: hostmaster@apnic.net 20000510
changed: hostmaster@apnic.net 20010712
status: ALLOCATED PORTABLE
changed: hm-changed@apnic.net 20040708
source: APNIC

person: Azmy Mohamad Yusof
nic-hdl: AM59-AP
e-mail: azmy@isp.time.net.my
e-mail: abuse@isp.time.net.my
address: TIMEdotNet Bhd
address: Level 3, Lot 14 Jalan U1/26 Glenmarie HICOM Industrial Park 40000
address: Shah Alam Selangor Malaysia
address: [abuse] abuse@isp.time.net.my
phone: +6-03-50326131
fax-no: +6-03-50326204
country: MY
changed: azmy@isp.time.net.my 20030217
mnt-by: MAINT-MY-TTNET
source: APNIC


FeuerFrei

Diamond Member
Mar 30, 2005
OK, it happened again, but this time I have more info.

The most complex URLs on my site have a "?content=page.htm" tacked on, so the referrer here is not my site.

Exact same URL as originally posted.
Though originating from a different IP than last time.

[Tue Oct 23 04:44:00 2007] [error] [client 87.118.104.84] File does not exist: /home/******/public_html/php/signup.php+[PLM=0]+GET+http://www.domain.org/php/signup.php+[0,34566,35686]+->+[N]+POST+http://www.domain.org/php//mailit.php+[R=302][0,0,174]
Again it resulted in a 404 error.
(obviously I edited out the domain above)

The client identifies itself as the following:

Agent: Mozilla/4.0 (compatible; MSIE 5.0; Mac_PowerPC) Opera 5.0 [en]

Looks like the URL is specially formatted for some purpose. I've never seen anything like it. Usually spiders don't make up their own URLs unless they are testing for a 404.shtml document, and it never looks like this. They generally follow existing links.


• Main reason it worries me is that recently spammers have been targeting the Signup.php form more heavily over the last couple of weeks and I've been banning IPs regularly. I just have a feeling they are probing for a vulnerability. OR maybe Opera for Mac just has some weird idiosyncrasy.

aCynic2

Senior member
Apr 28, 2007
Assume the worst. They are probing. Do you have intrusion detection on your server?
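An added example, written for this thread and not posted by any of the participants: a small Python script that does the kind of lightweight detection the last two posts are circling around. It parses Apache "File does not exist" error-log entries, flags any whose requested path carries an embedded request chain ("+GET+http://..." followed by "+POST+http://...", as in the two entries quoted above), pulls out the bracketed markers ([PLM=0], [R=302]) and the scripts the chain targets, and produces a list of client IPs to feed into whatever blocking you already do by hand. The sample log lines are constructed from the two entries in the thread plus two ordinary 404s for contrast; the IP 198.51.100.7 is made up, and the domain and home directory are masked the way the poster masked them. The script says nothing about which bot produced the format, only that the path is a recorded request sequence rather than a file name, which is the observation the thread is based on.

```python
import re
from collections import Counter

# Constructed sample lines (not a real log): the two entries quoted in the thread,
# interleaved with two ordinary 404s from a made-up IP (198.51.100.7).
SAMPLE_LOG = """\
[Fri Oct 19 21:24:33 2007] [error] [client 203.121.79.95] File does not exist: /home/*******/public_html/php/signup.php+[PLM=0]+GET+http://www.domain.org/php/signup.php+[0,34566,35686]+->+[N]+POST+http://www.domain.org/php//mailit.php+[R=302][0,0,174]
[Fri Oct 19 21:30:01 2007] [error] [client 198.51.100.7] File does not exist: /home/*******/public_html/favicon.ico
[Tue Oct 23 04:44:00 2007] [error] [client 87.118.104.84] File does not exist: /home/*******/public_html/php/signup.php+[PLM=0]+GET+http://www.domain.org/php/signup.php+[0,34566,35686]+->+[N]+POST+http://www.domain.org/php//mailit.php+[R=302][0,0,174]
[Tue Oct 23 04:45:10 2007] [error] [client 198.51.100.7] File does not exist: /home/*******/public_html/robots.txt
"""

# Apache 2.x "File does not exist" error-log entry (assumed format, matching the quoted lines).
ERROR_LINE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[0-9a-fA-F.:]+)\] "
    r"File does not exist: (?P<path>\S+)$"
)
# A request step embedded in the path: "+GET+http://..." or "+POST+http://...".
# The URL ends at the next '+' separator, so "+[0,34566,35686]" is not swallowed.
CHAIN_STEP = re.compile(r"\+(GET|POST)\+(https?://[^\s+]+)")
# Bracketed KEY=value markers such as [PLM=0] and [R=302]; "[N]" and "[0,0,174]" do not match.
MARKER = re.compile(r"\[([A-Z]+=[^\]]*)\]")


def parse_error_line(line):
    """Return {ts, ip, path} for a 'File does not exist' entry, or None for anything else."""
    m = ERROR_LINE.match(line.strip())
    return m.groupdict() if m else None


def extract_chain(path):
    """List the (method, url) steps recorded in a path; an ordinary file name yields []."""
    return [(method, url) for method, url in CHAIN_STEP.findall(path)]


def scan(log_text):
    """Flag every entry whose 'file name' is really a recorded request sequence."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_error_line(line)
        if rec is None:
            continue
        steps = extract_chain(rec["path"])
        if not steps:
            continue  # a normal 404 (favicon.ico, robots.txt, ...), not interesting here
        findings.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "requested": rec["path"].split("+", 1)[0],  # the real file before the first '+'
            "steps": steps,
            "markers": MARKER.findall(rec["path"]),
        })
    return findings


def ips_to_block(findings, min_hits=1):
    """Client IPs that produced at least min_hits flagged entries, sorted for stable output."""
    counts = Counter(f["ip"] for f in findings)
    return sorted(ip for ip, n in counts.items() if n >= min_hits)


def targeted_scripts(findings):
    """Every URL that appears as a step in a flagged chain, so you know which forms are being hit."""
    return sorted({url for f in findings for _, url in f["steps"]})


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        chain = " -> ".join(f"{m} {u}" for m, u in h["steps"])
        print(f"{h['ts']}  {h['ip']}  markers={h['markers']}  {chain}")
    print("block:", ips_to_block(hits))
    print("targeted:", targeted_scripts(hits))
```

Run it against your real error_log instead of SAMPLE_LOG (read the file and pass its contents to scan) and pipe ips_to_block into your firewall or .htaccess deny list; raising min_hits keeps a single stray request from getting an address banned. Because the match is on the structure of the path rather than on any specific IP or User-Agent string, it keeps working when the source address changes, as it did between the two entries in the thread.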